Service Account for the App Engine Flexible Environment

The App Engine flexible environment includes a Google-managed service
account, the App Engine flexible environment service account, that executes
tasks specific to the flexible environment on behalf of your apps.

The App Engine flexible environment service account is associated with your
GCP project and allows your project to interact with the resources of
your app separately from other GCP services.

The App Engine flexible environment service account is automatically created in
a GCP project either when:

The first app is deployed to the App Engine flexible environment
using App Engine tooling, for example: gcloud app deploy

Note that the App Engine flexible environment service account is a separate
service account from the App Engine default service account. The App Engine flexible environment service
account is not listed on the Service Accounts page of the GCP Console
and has the following restrictions:

Do not modify the permissions of the App Engine flexible environment service
account.

Verifying the App Engine flexible environment service account

As noted previously, the App Engine flexible environment service
account is not listed on the Service Accounts page of the GCP Console.
So, to verify that the App Engine flexible environment service account exists
in your GCP project, you must view the Permissions page in the
GCP Console:

In the Members list, locate the ID of the App Engine flexible
environment service account.

The App Engine flexible environment service account uses the member ID:
service-[YOUR_PROJECT_ID]@gae-api-prod.google.com.iam.gserviceaccount.com

The App Engine flexible environment service account should have the
App Engine Flexible Environment Service Agent role.

Warning: Removing the App Engine flexible environment service account removes
the binding for the service account from your GCP project. If you
remove the binding or change the permissions for the service account,
any deployment to your app in the flexible environment will fail.

Service Agent role

The App Engine flexible environment service account has the App Engine Flexible
Environment Service Agent role, which includes the set of permissions that
App Engine needs to manage your flexible environment apps. For example, this role
includes permissions to perform the following tasks:

Deploying a new version.

Stopping or deleting existing versions.

Automatic weekly restarts and system updates.

The App Engine Flexible Environment Service Agent role should be reserved for
only the App Engine flexible environment service account. You should not use or
assign this IAM role to any user account because the
permissions change without any notice.
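
The verification step and the rule that only the service account should hold the Service Agent role can both be checked against an exported IAM policy. The script below is an added example, not part of the original documentation; it assumes the policy JSON shape produced by `gcloud projects get-iam-policy [YOUR_PROJECT_ID] --format=json` and the role ID `roles/appengineflex.serviceAgent`, and the sample policy and its identifiers are constructed.

```python
import json

# Role ID of the "App Engine Flexible Environment Service Agent" role
# (assumption: the page names the role but does not give its ID).
FLEX_AGENT_ROLE = "roles/appengineflex.serviceAgent"
AGENT_DOMAIN = "gae-api-prod.google.com.iam.gserviceaccount.com"


def audit_flex_agent(policy, project_identifier):
    """Return findings for the flexible environment service account.

    An empty list means the binding exists, carries only the Service
    Agent role, and no other member holds that role.
    """
    agent = f"serviceAccount:service-{project_identifier}@{AGENT_DOMAIN}"
    agent_roles, role_holders = set(), set()
    for binding in policy.get("bindings", []):
        members = binding.get("members", [])
        if agent in members:
            agent_roles.add(binding.get("role"))
        if binding.get("role") == FLEX_AGENT_ROLE:
            role_holders.update(members)

    findings = []
    if not agent_roles:
        findings.append(f"MISSING: no binding for {agent}")
    elif FLEX_AGENT_ROLE not in agent_roles:
        findings.append(f"ROLE_CHANGED: {agent} lacks {FLEX_AGENT_ROLE}")
    for role in sorted(agent_roles - {FLEX_AGENT_ROLE}):
        findings.append(f"EXTRA_ROLE: {agent} also holds {role}")
    for member in sorted(role_holders - {agent}):
        findings.append(f"ROLE_MISUSE: {member} holds {FLEX_AGENT_ROLE}")
    return findings


# Constructed sample policy: the agent is bound correctly, but a user
# account has also been granted the Service Agent role.
SAMPLE_ID = "123456789012"
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/appengineflex.serviceAgent",
   "members": ["serviceAccount:service-123456789012@gae-api-prod.google.com.iam.gserviceaccount.com",
               "user:dev@example.com"]},
  {"role": "roles/editor",
   "members": ["serviceAccount:123456789012@cloudservices.gserviceaccount.com"]}
]}
""")

if __name__ == "__main__":
    for line in audit_flex_agent(SAMPLE_POLICY, SAMPLE_ID) or ["OK"]:
        print(line)
```

A MISSING or ROLE_CHANGED finding corresponds to the state in which, per the warning above, deployments to the flexible environment fail.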